Running a scanner in GitLab

To start the scanner in lite SBOM mode in GitLab, when configuring image scanning in CI/CD process, edit the .gitlab-ci.yml configuration file as follows:

  1. Add information about the image of the scanner that is started for image scanning in CI/CD as follows:

    scan_image:

    stage: scanner

    image:

    name:repo.cloud.example.com/repository/company/scanner:v.2.0.0-lite

    entrypoint: [""]

    pull_policy: always

  2. Specify the orchestration platform tag as follows:

    k8s

    In the example provided, the k8s tag is specified for Kubernetes, you can also specify the tag for another supported orchestration platform.

  3. Specify such variables as the build ID, image registry data of the scanned image and certificate for secure connection to this registry, pipeline ID, and API token for authorization of requests from the CI/CD scanner in Kaspersky Container Security as follows:

    SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

    COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

    COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

    COMPANY_EXT_REGISTRY_TLS_CERT: ${COMPANY_EXT_REGISTRY_TLS_CERT}

    BUILD_NUMBER: ${CI_JOB_ID}

    BUILD_PIPELINE: ${CI_PIPELINE_ID}

    API_TOKEN: <API token value>

    HTTP_PROXY<proxy server for HTTP requests>

    HTTPS_PROXY<proxy server for HTTPS requests>

    NO_PROXY<domains or appropriate domain masks to be excluded from proxying>

    The details of the certificate for secure connection to the image registry in the COMPANY_EXT_REGISTRY_TLS_CERT variable are specified as a string in the .PEM format:
    -----BEGIN CERTIFICATE-----\n... certificate details > ...\n-----END CERTIFICATE----- .

  4. If necessary, specify a variable for scanning the API certificate of the solution:

    API_CA_CERT: ${KCS_CA_CERT}

    If the API_CA_CERT variable is not set, scanning will start but will not be completed.

  5. Specify the web address of the API host server for Kaspersky Container Security:

    API_BASE_URL: <web address>

  6. Specify the command to create an artifact when the scanner is started in one of the following supported formats:
    • To generate an artifact in the .JSON format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:

      paths:

      - artifact-result.json

    • To generate an artifact in the .HTML format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html

      artifacts:

      paths:

      - artifact-result.html

    • To generate an SBOM artifact in the .SPDX format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx

      artifacts:

      paths:

      - artifact-result.spdx

    • To generate an SBOM artifact in the .JSON format:

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --cdx --stdout > artifact-result.cdx.json

      artifacts:

      paths:

      - artifact-result.cdx.json

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab

Page top